digest_file_auth man page

digest_file_auth is an installed binary authentication program for Squid. It handles digest authentication protocol and authenticates against a text file backend. This program will automatically detect the existence of a concurrecy channel-ID and adjust appropriately. It may be used with any value 0 or above for the auth_param children concurrency= parameter.

To build a directory integrated backend, you need to be able to calculate the HA1 returned to squid. To avoid storing a plaintext password you can calculate MD5(username:realm:password) when the user changes their password, and store the tuple username:realm:HA1. then find the matching username:realm when squid asks for the HA1.

This implementation could be improved by using such a triple for the file format. However storing such a triple does little to improve security: If compromised the username:realm:HA1 combination is "plaintext equivalent" - for the purposes of digest authentication they allow the user access. Password syncronisation is not tackled by digest - just preventing on the wire compromise.